Presentation on theme: "Research in Cloud Security and Privacy"— Presentation transcript:
1Research in Cloud Security and Privacy Modified from Bharat Bhargava, Anya Kim, YounSun Cho
2Outline Part I: Introduction Part II: Security and Privacy Issues in Cloud ComputingPart III: Possible Solutions
3Part I. Introduction Cloud Computing Background Cloud Models Why do you still hesitate to use cloud computing?Causes of Problems Associated with Cloud ComputingTaxonomy of FearThreat Model
4Cloud Computing Background FeaturesUse of internet-based services to support business processRent IT-services on a utility-like basisAttributesRapid deploymentLow startup costs/ capital investmentsCosts based on usage or subscriptionMulti-tenant sharing of services/ resourcesEssential characteristicsOn demand self-serviceUbiquitous network accessLocation independent resource poolingRapid elasticityMeasured service“Cloud computing is a compilation of existing techniques and technologies, packaged within a new infrastructure paradigm that offers improved scalability, elasticity, business agility, faster startup time, reduced management costs, and just-in-time availability of resources”Government and Military sectors: complicated procurement rules and stringent security requirementsCloud-based categories:Cloud-based applications (SAAS)Cloud-based development (e.g. Google App Engine)Cloud-based infrastructure (e.g. Amazon’s EC2)From  NIST4
5A Massive Concentration of Resources Also a massive concentration of riskexpected loss from a single breach can be significantly largerconcentration of “users” represents a concentration of threats“Ultimately, you can outsource responsibility but you can’t outsource accountability.”From  John McDermott, ACSAC 09
6Cloud Computing: who should use it? Cloud computing definitely makes sense if your own security is weak, missing features, or below average.Ultimately, ifthe cloud provider’s security people are “better” than yours (and leveraged at least as efficiently),the web-services interfaces don’t introduce too many new vulnerabilities, andthe cloud provider aims at least as high as you do, at security goals,then cloud computing has better security.From  John McDermott, ACSAC 09
7Cloud Models Delivery Models Deployment Models SaaSPaaSIaaSDeployment ModelsPrivate cloudCommunity cloudPublic cloudHybrid cloudManagement Models (trust and tenancy issues)Self-managed3rd party managed (e.g. public clouds and VPC)Trust and tenancy issues as well as loss of control related to the management modelFrom  NIST
8Impact of cloud computing on the governance structure of IT organizations From  Cloud Security and Privacy by Mather and Kumaraswamy
9If cloud computing is so great, why isn’t everyone doing it? The cloud acts as a big black box, nothing inside the cloud is visible to the clientsClients have no idea or control over what happens inside a cloudEven if the cloud provider is honest, it can have malicious system admins who can tamper with the VMs and violate confidentiality and integrityClouds are still subject to traditional data confidentiality, integrity, availability, and privacy issues, plus some additional attacks
10Causes of Problems Associated with Cloud Computing Most security problems stem from:Loss of controlLack of trust (mechanisms)Multi-tenancyThese problems exist mainly in 3rd party management modelsSelf-managed clouds still have security issues, but not related to aboveData mobility: the ability to share data between cloud servicesWhere does data reside?- out-of-state, out-of-country issuesSecurity Concerns for government in particularFISMAHow to certify and accredit cloud computing providers under FISMA(e.g. ISO 27001)10
11Loss of Control in the Cloud Consumer’s loss of controlData, applications, resources are located with providerUser identity management is handled by the cloudUser access control rules, security policies and enforcement are managed by the cloud providerConsumer relies on provider to ensureData security and privacyResource availabilityMonitoring and repairing of services/resources
12Lack of Trust in the Cloud Trusting a third party requires taking risksDefining trust and riskOpposite sides of the same coin (J. Camp)People only trust when it pays (Economist’s view)Need for trust arises only in risky situationsDefunct third party management schemesHard to balance trust and riske.g. Key Escrow (Clipper chip)Is the cloud headed toward the same path?Chiles and McMakin (1996) define trust as increasing one’s vulnerability to the risk of opportunistic behavior of another whose behavior is not under one’s control in a situation in which the costs of violating the trust are greater than the benefits of upholding the trust.Trust here means mostly lack of accountability and verifiability
13Multi-tenancy Issues in the Cloud Conflict between tenants’ opposing goalsTenants share a pool of resources and have opposing goalsHow does multi-tenancy deal with conflict of interest?Can tenants get along together and ‘play nicely’ ?If they can’t, can we isolate them?How to provide separation between tenants?Cloud Computing brings new threatsMultiple independent users share the same physical infrastructureThus an attacker can legitimately be in the same physical machine as the targetWho are my neighbors? What is their objective? They present another facet of risk and trust requirements
14Taxonomy of Fear Confidentiality Fear of loss of control over data Will the sensitive data stored on a cloud remain confidential?Will cloud compromises leak confidential client dataWill the cloud provider itself be honest and won’t peek into the data?IntegrityHow do I know that the cloud provider is doing the computations correctly?How do I ensure that the cloud provider really stored my data without tampering with it?From 
15Taxonomy of Fear (cont.) AvailabilityWill critical systems go down at the client, if the provider is attacked in a Denial of Service attack?What happens if cloud provider goes out of business?Would cloud scale well-enough?Often-voiced concernAlthough cloud providers argue their downtime compares well with cloud user’s own data centersFrom 
16Taxonomy of Fear (cont.) Privacy issues raised via massive data miningCloud now stores data from a lot of clients, and can run data mining algorithms to get large amounts of information on clientsIncreased attack surfaceEntity outside the organization now stores and computes data, and soAttackers can now target the communication link between cloud provider and clientCloud provider employees can be phishedFrom 
17Taxonomy of Fear (cont.) Auditability and forensics (out of control of data)Difficult to audit data held outside organization in a cloudForensics also made difficult since now clients don’t maintain data locallyLegal dilemma and transitive trust issuesWho is responsible for complying with regulations?e.g., SOX, HIPAA, GLBA ?If cloud provider subcontracts to third party clouds, will the data still be secure?From 
18Taxonomy of Fear (cont.) Cloud Computing is a security nightmare and it can't be handled in traditional ways.John ChambersCISCO CEOSecurity is one of the most difficult task to implement in cloud computing.Different forms of attacks in the application side and in the hardware componentsAttacks with catastrophic effects only needs one security flaw(http://www.exforsys.com/tutorials/cloud-computing/cloud-computing-security.html)
19Threat ModelA threat model helps in analyzing a security problem, design mitigation strategies, and evaluate solutionsSteps:Identify attackers, assets, threats and other componentsRank the threatsChoose mitigation strategiesBuild solutions based on the strategiesFrom 
20Threat Model Basic components Attacker modeling Attacker goals Choose what attacker to considerinsider vs. outsider?single vs. collaborator?Attacker motivation and capabilitiesAttacker goalsVulnerabilities / threatsFrom 
21What is the issue? The core issue here is the levels of trust Many cloud computing providers trust their customersEach customer is physically commingling its data with data from anybody else using the cloud while logically and virtually you have your own spaceThe way that the cloud provider implements security is typically focused on they fact that those outside of their cloud are evil, and those inside are good.But what if those inside are also evil?From 
22Attacker Capability: Malicious Insiders At clientLearn passwords/authentication informationGain control of the VMsAt cloud providerLog client communicationCan read unencrypted dataCan possibly peek into VMs, or make copies of VMsCan monitor network communication, application patternsWhy?Gain information about client dataGain information on client behaviorSell the information or use itselfFrom 
23Attacker Capability: Outside attacker What?Listen to network traffic (passive)Insert malicious traffic (active)Probe cloud structure (active)Launch DoSGoal?IntrusionNetwork analysisMan in the middleCartographyFrom 
24Challenges for the attacker How to find out where the target is located?How to be co-located with the target in the same (physical) machine?How to gather information about the target?From 
25Part II: Security and Privacy Issues in Cloud Computing - Big Picture From  Cloud Security and Privacy by Mather and Kumaraswamy
26Data Security and Storage Several aspects of data security, including:Data-in-transitConfidentiality + integrity using secured protocolConfidentiality with non-secured protocol and encryptionData-at-restGenerally, not encrypted , since data is commingled with other users’ dataEncryption if it is not associated with applications?But how about indexing and searching?Processing of data, including multitenancyFor any application to process dataFrom  Cloud Security and Privacy by Mather and Kumaraswamy
27Data Security and Storage (cont.) Data lineageKnowing when and where the data was located w/i cloud is important for audit/compliance purposese.g., Amazon AWSStore <d1, t1, ex1.s3.amazonaws.com>Process <d2, t2, ec2.compute2.amazonaws.com>Restore <d3, t3, ex2.s3.amazonaws.com>Data provenanceComputational accuracy (as well as data integrity)E.g., financial calculation: sum ((((2*3)*4)/6) -2) = $2.00 ?How about dollars of different countries?Correct exchange rate?Data remanenceInadvertent disclosure of sensitive information is possibleFrom  Cloud Security and Privacy by Mather and Kumaraswamy
28What is Privacy?The concept of privacy varies widely among (and sometimes within) countries, cultures, and jurisdictions.It is shaped by public expectations and legal interpretations;as such, a concise definition is elusive if not impossible.Privacy rights or obligations are related to the collection, use, disclosure, storage, and destruction of personal dataAt the end of the day, privacy is about the accountability of organizations to data subjects, as well as the transparency to an organization’s practice around personal information.From  Cloud Security and Privacy by Mather and Kumaraswamy
29What Are the Key Privacy Concerns? Typically mix security and privacySome considerations to be aware of:StorageRetentionDestructionAuditing, monitoring and risk managementPrivacy breachesWho is responsible for protecting privacy?From  Cloud Security and Privacy by Mather and Kumaraswamy
31Security Issues in the Cloud In theory, minimizing any of the issues would help:Third Party Cloud ComputingLoss of ControlTake back controlData and apps may still need to be on the cloudBut can they be managed in some way by the consumer?Lack of trustIncrease trust (mechanisms)TechnologyPolicy, regulationContracts (incentives)Multi-tenancyPrivate cloudTakes away the reasons to use a cloud in the first placeVPC: its still not a separate systemStrong separationWhile VPC providers argue that they provide superior isolation, the fact of the matter is that your data is not a separate physical system: your data is still stored on actual servers along with other consumers’ data, but logically separated. If the actual server fails, your data and applications stored on it are lost. Also, there needs to be a high level of trust as to the degree of isolation provided.
32Third Party Cloud Computing Known issues: Already existConfidentiality issuesMalicious behavior by cloud providerKnown risks exist in any industry practicing outsourcingProvider and its infrastructure needs to be trusted
33New Vulnerabilities & Attacks Threats arise from other consumersDue to the subtleties of how physical resources can be transparently shared between VMsSuch attacks are based on placement and extractionA customer VM and its adversary can be assigned to the same physical serverAdversary can penetrate the VM and violate customer confidentiality
34More on attacks…Collaborative attacksMapping of internal cloud infrastructureIdentifying likely residence of a target VMInstantiating new VMs until one gets co-resident with the targetCross-VM side-channel attacksExtract information from target VM on the same machine
35More on attacks…Can one determine where in the cloud infrastructure an instance is located?Can one easily determine if two instances are co-resident on the same physical machine?Can an adversary launch instances that will be co-resident with other user instances?Can an adversary exploit cross-VM information leakage once co-resident?Answer: Yes to all
36Minimize Lack of Trust: Policy Language Consumers have specific security needs but don’t have a say-so in how they are handledCurrently consumers cannot dictate their requirements to the provider (SLAs are one-sided)Standard language to convey one’s policies and expectationsAgreed upon and upheld by both partiesStandard language for representing SLAsCreate policy language with the following characteristics:Machine-understandable (or at least processable),Easy to combine/merge and compareThese SLAs typically state the high level policies of the provider (e.g. Will maintain uptime of 98%) and do not allow cloud consumers to dictate their requirements to the provider. COI clouds in particular have specific security policy requirements that must be met by the provider, due to the nature of COIs and the missions they are used for. These requirements need to be communicated to the provider and the provider needs to provide some way of stating that the requirements can be met. Cloud consumers and providers need a standard way of representing their security requirements and capabilities. Consumers also need a way to verify that the provided infrastructure and its purported security mechanisms meet the requirements stated in the consumer’s policy (proof of assertions). For example, if the consumer’s policy requires isolation of VMs, the provider can create an assertion statement that says it uses cache separation to support VM isolation.
37Minimize Lack of Trust: Certification Some form of reputable, independent, comparable assessment and description of security features and assuranceSarbanes-Oxley, DIACAP, DISTCAP, etcRisk assessmentPerformed by certified third partiesProvides consumers with additional assurance
38Minimize Loss of Control: Monitoring Cloud consumer needs situational awareness for critical applicationsWhen underlying components fail, what is the effect of the failure to the mission logicWhat recovery measures can be takenby provider and consumerRequires an application-specific run-time monitoring and management tool for the consumerThe cloud consumer and cloud provider have different views of the systemEnable both the provider and tenants to monitor the components in the cloud that are under their controlWhen the underlying components fail in the cloud, the effect of the failures to the mission logic needs to be known so that correct recovery measures can be performed. We propose an application-specific run-time monitoring and management tool. With this tool, the application logic can remain on the consumer’s host computer. This allows the consumer to centrally monitor all aspects of the application as well as data flow. Since all outputs from underlying services are sent to the application logic, any data incompatibility between services is not an issue. The capabilities of the run-time monitoring and management tool are as follows: 1) Enable application user to determine the status of the cloud resources that may be used to run the application (across multiple clouds), 2) Enable application user to determine the real-time security posture and situational awareness of the application, 3) Provide the application user with the ability to move user’s application (or part of it) to another site (other VM in same cloud or different cloud altogether), 4) Provide the application user with the ability to change the application logic on the fly, 5) Provide communicate capabilities with cloud providers. There are a few cloud vendors such as NimSoft  and Hyperic  that provide application-specific monitoring tools that provide some of the above functionality. These monitoring tools may be further enhanced or used in conjunction with other tools to provide the degree of monitoring required. However, any tool that is to be used for military purposes must also receive some type of accreditation and certification procedure.
39Minimize Loss of Control: Monitoring (Cont.) Provide mechanisms that enable the provider to act on attacks he can handle.infrastructure remappingcreate new or move existing fault domainsshutting down offending components or targetsand assisting tenants with porting if necessaryRepairsProvide mechanisms that enable the consumer to act on attacks that he can handleapplication-level monitoringRAdAC (Risk-adaptable Access Control)VM porting with remote attestation of target physical hostProvide ability to move the user’s application to another cloud
40Minimize Loss of Control: Utilize Different Clouds The concept of ‘Don’t put all your eggs in one basket’Consumer may use services from different clouds through an intra-cloud or multi-cloud architectureA multi-cloud or intra-cloud architecture in which consumersSpread the riskIncrease redundancy (per-task or per-application)Increase chance of mission completion for critical applicationsPossible issues to consider:Policy incompatibility (combined, what is the overarching policy?)Data dependency between cloudsDiffering data semantics across cloudsKnowing when to utilize the redundancy featuremonitoring technologyIs it worth it to spread your sensitive data across multiple clouds?Redundancy could increase risk of exposureDifferering data semantics example: does a data item labeled secret in one cloud have the same semantics as another piece of data also labeled secret in a different cloud?
41Minimize Loss of Control: Access Control Many possible layers of access controlE.g. access to the cloud, access to servers, access to services, access to databases (direct and queries via web services), access to VMs, and access to objects within a VMDepending on the deployment model used, some of these will be controlled by the provider and others by the consumerRegardless of deployment model, provider needs to manage the user authentication and access control procedures (to the cloud)Federated Identity Management: access control management burden still lies with the providerRequires user to place a large amount of trust on the provider in terms of security, management, and maintenance of access control policies.This can be burdensome when numerous users from different organizations with different access control policies, are involvedIn cloud computing (as well as other systems), there are many possible layers of access control. For example, access to the cloud, access to servers, access to services, access to databases (direct and queries via web services), access to VMs, and access to objects within a VM. Depending on the deployment model used, some of these will be controlled by the provider and others by the consumer.For example, Google Apps, a representative SaaS Cloud controls authentication and access to its applications, but users themselves can control access to their documents through the provided interface to the access control mechanism. In IaaS type approaches, the user can create accounts on its virtual machines and create access control lists for these users for services located on the VM.Regardless of the deployment model, the provider needs to manage the user authentication and access control procedures (to the cloud). While some providers allow federated authentication – enabling the consumer-side to manage its users, the access control management burden still lies with the provider. This requires the user to place a large amount of trust on the provider in terms of security, management, and maintenance of access control policies. This can be burdensome when numerous users from different organizations with different access control policies, are involved. This proposal focuses on access control to the cloud. However, the concepts here could be applied to access control at any level, if deemed necessary. We propose a way for the consumer to manage the access control decision-making process to retain some control, requiring less trust of the provider.Approach:This approach requires the client and provider to have a pre-existing trust relationship, as well as a pre-negotiated standard way of describing resources, users, and access decisions between the cloud provider and consumer. It also needs to be able to guarantee that the provider will uphold the consumer-side’s access decisions. Furthermore, we need to show that this approach is at least as secure as the traditional access control model.This approach requires the data owner to be involved in all requests. Therefore, frequent access scenarios should not use this method if traffic is a concern. However, many secure data outsourcing schemes require the user to grant keys/certificates to the query side, so that every time the user queries a database, the owner needs to be involved. Therefore, not much different than that so may not be a problem.
42Minimize Loss of Control: Access Control (Cont.) Consumer-managed access controlConsumer retains decision-making process to retain some control, requiring less trust of the providerRequires the client and provider to have a pre-existing trust relationship, as well as a pre-negotiated standard way of describing resources, users, and access decisions between the cloud provider and consumer.It also needs to be able to guarantee that the provider will uphold the consumer-side’s access decisions.Should be at least as secure as the traditional access control model.
43Minimize Loss of Control: Access Control Cloud Provider in Domain ACloud Consumer in Domain BIdentityProvider1. Authn requestIDPPolicyEnforcementPoint(intercepts allresourceaccess requestsfrom all clientdomains)3. Resource request (XACML Request) + SAML assertion2. SAML Assertion4. Redirect to domain of resource owner5. Retrieve policyfor specified resource.PolicyDecisionPointfor cloudresourceon Domain AACM(XACMLpolicies)resources7. Send signed and encrypted ticket6. Determine whether user can accessspecified resource7. Create ticket for grant/deny8. Decrypt and verify signature9. Retrieve capability from ticket10. Grant or deny access based on capabilitySecurity Assertion Markup Language eXtensible Access Control Markup Language
44Minimize Loss of Control: IDM Motivation User on Amazon CloudNamePasswordBilling AddressShipping AddressCredit CardNameBilling AddressCredit CardNamePasswordBilling AddressShipping AddressCredit CardNameShipping AddressNameShipping Address
45Minimize Loss of Control: IDM Identity in the Cloud User on Amazon CloudNamePasswordBilling AddressShipping AddressCredit CardNameBilling AddressCredit CardNamePasswordBilling AddressShipping AddressCredit CardNameShipping AddressNameShipping Address
46Minimize Loss of Control: IDM Issues in Cloud Computing Cloud introduces several issues to IDMUsers have multiple accounts associated with multiple service providers.Present IDMs require a trusted third party and do not work on an untrusted host.Lack of trustUse of Trusted Third Party is not an optionCloud hosts are untrustedLoss of controlCollusion between Cloud ServicesSharing sensitive identity information between services can lead to undesirable mapping of the identities to the user.IDM in Cloud needs to be user-centric
47Minimize Multi-tenancy Can’t really force the provider to accept less tenantsCan try to increase isolation between tenantsStrong isolation techniques (VPC to some degree)QoS requirements need to be metPolicy specificationCan try to increase trust in the tenantsWho’s the insider, where’s the security boundary? Who can I trust?Use SLAs to enforce trusted behavior
48ConclusionCloud computing is sometimes viewed as a reincarnation of the classic mainframe client-server modelHowever, resources are ubiquitous, scalable, highly virtualizedContains all the traditional threats, as well as new onesIn developing solutions to cloud computing security issues it may be helpful to identify the problems and approaches in terms ofLoss of controlLack of trustMulti-tenancy problems